RE: IDS event filtering

From: Ofer Shezaf (Ofer.Shezaf_at_breach.com)
Date: 01/04/05

  • Next message: Chris Brown: "Re: Intrushield vs. ISS once more..."
    Date: Tue, 4 Jan 2005 05:40:44 -0500
    To: <focus-ids@lists.securityfocus.com>
    
    

    To add my two cents:

    Filtering is not only about yes and no, but also about severity.

    My experience shows that management reports should also include a summary
    of unsuccessful attacks, as they are used for policy creation and
    budgeting. In other words, I would like to show my boss that the world
    is dangerous and that it attacks our systems.

    On the other hand, in real-time monitoring that produces actionable items,
    I would not want to see events that do not pose an immediate threat.

    The trick in many IDS/SIM systems is to set different severity levels:
    information only for non-immediate events and high severity for events
    that pose an immediate threat.

    Ofer Shezaf
    CTO, Breach Security
    Tel: +972.9.956.0036 ext.212
    Cell: +972.54.443.1119
    ofers@breach.com
    http://www.breach.com

    > -----Original Message-----
    > From: Billy Dodson [mailto:CraftedPacket@securitynerds.org]
    > Sent: Friday, December 31, 2004 5:37 PM
    > To: focus-ids@lists.securityfocus.com
    > Subject: IDS event filtering
    >
    > I want to get an idea of what you guys out there filter from your
    > IDS sensors. Some of the sensors I monitor get TONS of events for MSSQL
    > control overflows. If the customer is patched for Slammer and does not
    > have any SQL services on the Internet, is it safe to filter out those
    > events? Do you still want to see that traffic even though you know you
    > are not vulnerable? Thanks!
    >
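The two-tier approach described above (keep events for the management summary, but only surface immediate threats on the real-time console) can be implemented as a small triage step between the sensor and the console. The following is an added example written for this page, not code from Ofer's post or from any IDS/SIM product. The asset inventory, alert records and field names (`family`, `dst`, `dport`, `internet_exposed_ports`, `patched_for`) are constructed assumptions; it also assumes the sensor sits at the Internet edge, so a destination port the host does not expose cannot be reached by the attacker.

```python
"""Context-aware IDS event triage: severity by exposure, not just by signature.

Added example, not from the original post. Hosts, alerts and field names
are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    internet_exposed_ports: frozenset  # ports reachable from the Internet (assumed inventory field)
    patched_for: frozenset             # signature families this host is patched against


# Constructed inventory (hypothetical hosts).
ASSETS = {
    # Web server: only 80/443 exposed, and patched against the MSSQL overflow family.
    "10.0.0.5": Asset("10.0.0.5", frozenset({80, 443}), frozenset({"mssql-overflow"})),
    # Database host that really does expose 1433 and is not patched.
    "10.0.0.9": Asset("10.0.0.9", frozenset({1433}), frozenset()),
}

# Constructed alerts. "family" is an assumed grouping of related signatures.
ALERTS = [
    {"id": 1, "family": "mssql-overflow", "dst": "10.0.0.5", "dport": 1433},
    {"id": 2, "family": "mssql-overflow", "dst": "10.0.0.9", "dport": 1433},
    {"id": 3, "family": "mssql-overflow", "dst": "10.0.0.77", "dport": 1433},
    {"id": 4, "family": "http-dir-traversal", "dst": "10.0.0.5", "dport": 80},
]


def classify(alert, assets):
    """Return 'high' for events that can plausibly succeed, 'info' otherwise.

    Following the post: an attack against a host that is patched for it, or
    against a port the host does not expose, is still recorded (it feeds the
    management summary) but is downgraded to 'info' so it never reaches the
    real-time console. A host missing from the inventory is treated as
    exposed and unpatched, i.e. the rule fails closed and alerts.
    """
    asset = assets.get(alert["dst"])
    if asset is None:
        return "high"
    if alert["family"] in asset.patched_for:
        return "info"
    if alert["dport"] not in asset.internet_exposed_ports:
        return "info"
    return "high"


def triage(alerts, assets):
    """Split alerts into the real-time queue and a per-family/severity summary.

    Returns (list of alert ids that should page someone,
             Counter keyed by (family, severity) for the management report).
    """
    realtime = []
    summary = Counter()
    for alert in alerts:
        severity = classify(alert, assets)
        summary[(alert["family"], severity)] += 1
        if severity == "high":
            realtime.append(alert["id"])
    return realtime, summary


if __name__ == "__main__":
    queue, report = triage(ALERTS, ASSETS)
    print("real-time queue:", queue)
    for (family, severity), count in sorted(report.items()):
        print(f"{family:20s} {severity:5s} {count}")
```

With the constructed data, alert 1 is downgraded because the target is patched, alert 2 stays high because 1433 is genuinely exposed on an unpatched host, alert 3 stays high because the host is unknown to the inventory, and the summary still counts all three MSSQL events for the report. The fail-closed default for unknown hosts is the caveat worth keeping: a filter like this is only as safe as the inventory behind it.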
